Solved

User's My Documents folder Redirection and Administrator Access

Posted on 2009-03-31
Last Modified: 2012-05-06
I need to move our user folders in a Win2k3 domain over to a new file server.  It looks as if the GPO to set up folder redirection at one point must have had the Grant user exclusive rights option either enabled or not configured, as I am running into hundreds of folders that I cannot access as the users are the only ones that have access to them.  The GPO is not set that way now, but the folder permissions apparently do not get updated.  I can go in individually to these folders, take ownership, and then reset the permissions to gain access to them.  Does anyone know of a scripted way, or something, to do this across the board, without messing up the permissions as they are now??
0
Question by:jvincent9
8 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028241
You can change the owner for the top level folder (i.e. the shared folder), and check 'Replace owner on subcontainers and objects'. This will make you the owner of all sub-objects.
Once you have given yourself ownership, you can then grant yourself the required permissions to the top folder, also checking the 'Replace permissions entries on all child objects...' checkbox.
You'll then have permissions to move/edit all the sub folders of the main shared folder. Failing this you could script it, but this should work I think.
0
 

Author Comment

by:jvincent9
ID: 24028735
I have looked into that route...  From what I have seen doing a folder at a time thus far, when I take ownership of the top level folder (the users folder in this case, to get ownership of their My Documents subfolder), it wants to grant the owner exclusive rights to the My Documents folder because I currently don't have access to it...  This will blow the user's permissions away, and then I need to go back up to the level of the user's folder, and re-apply the permissions down so they get access back to their My Documents folder...  Is that making sense?
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028830
Changing yourself to the owner won't affect the user's permissions - this just allows you to then edit the permissions. You can then add yourself in to the ACL with the required permissions, still leaving the user's permissions intact.
If you do this on the root folder (the one that is shared - you'll need to log on the server to do this locally or via RDP), change owner/apply the permissions to all sub-objects as described above - you should be in business.
0

 

Author Comment

by:jvincent9
ID: 24030817
Here is what I mean...  Admin group is already the owner of each user folder.  We have a My Documents folder under each of those that is the redirected user folder that we don't have permissions to...  See screenshot attachment.  When trying to filter the ownership down to the subfolders, I am presented with this.  If I say Yes, it replaces all permissions, and just adds the admin group with full control, removing the user's permissions.  I can then go back up to the user root folder, and push the permissions back down, and that is OK...  But I'm dealing with possibly a few thousand user folders that are affected this way...
owner.jpg
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24031527
OK, how about running a backup job to make a copy of the folders. Schedule an NTBackup job to back the folders up using the context of a user you have placed in the 'Backup Operators' local group on the file server.
You can then restore to the new server - worth testing on a handful first.
Either that, or you could apply the permissions under the SYSTEM context, scripting the use of cacls during a startup script would do it, but this seems a bit convoluted. I'd try the backup.
0
 

Author Comment

by:jvincent9
ID: 24031988
Any idea on how to run a script under the system context?  I might actually give that a try first based on the amount of data that I would need to restore from a backup...  I already have some cacls.exe scripts that I could tweak if I could just run them as a user that can modify the folder/file ACLs.
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24037550
You can open a cmd window in the SYSTEM context using the following method. It's not the best but it works. You have to run this locally on the machine, not from an RDP session as the cmd window will only open on the console session:
From the command prompt, type:
sc create testsvc binpath= "cmd /K start" type= own type= interact
..this creates a service called 'testsvc' which opens the command prompt in the SYSTEM context. To start the service:
sc start testsvc
...you'll get an error message saying that the service failed to start in a timely fashion, but a cmd window will pop up. A quick check in Task manager will show the process as running under the SYSTEM context. You can then launch this service each time you need to do this.
Try and run cacls in this cmd window...
0
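The cacls step that the accepted answer leaves open, as an added example that is not part of the original thread or any poster's script: run from the cmd window that is running as SYSTEM, it adds the local Administrators group to each user folder's ACL in edit mode, so the users' existing entries are kept. The share root D:\Users and the log path are assumed placeholders.

```batch
@echo off
rem Added example, not from the original thread.
rem Run inside the cmd window that is running as SYSTEM.
rem ROOT and LOG are assumed placeholder paths; adjust them for your file server.
setlocal
set "ROOT=D:\Users"
set "LOG=C:\acl-fix.log"

rem Record the security context before touching any ACLs.
rem It should log "nt authority\system" (whoami ships with Server 2003).
whoami >> "%LOG%"

for /d %%U in ("%ROOT%\*") do (
    echo Processing %%U >> "%LOG%"
    rem Log the redirected folder's ACL as it is now, for later review.
    cacls "%%U\My Documents" >> "%LOG%" 2>&1
    rem /E edits the existing ACL instead of replacing it (user ACEs are kept).
    rem /T recurses into subfolders and files.
    rem /C continues past access-denied errors instead of stopping.
    cacls "%%U" /E /T /C /G Administrators:F >> "%LOG%" 2>&1
)

rem Delete the temporary interactive SYSTEM service once the work is done,
rem so a SYSTEM command prompt is not left available on the server.
sc delete testsvc
endlocal
```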
 

Author Closing Comment

by:jvincent9
ID: 31564782
Coolest solution ever!  Thanks bluntTony!  Within the cmd running as System I am able to inject the administrators group to the ACL of all user folders now.  Awesome solution!!!  Thanks again!
0
